Tuesday, April 24, 2012

[Almost every country in the world protects its citizens' personal information. Almost.]

This is an example of a Membership Application form that I needed to fill in to be able to rent a video. You'll notice that besides all the usual stuff, they have asked for my date of birth, ID number and employer. They need to know my next of kin, which is interesting... in case I die while hiring a video, at least they can get their video back. Not sure how it helps them to have my car registration number. I can just picture driving through a roadblock - "Mr Baranov... do you realise that your copy of Twilight is overdue by two days. For that I will give you a fine. Further, for even renting that video... another fine."

The point is that there is a lot on this page that is unnecessary. Under the proposed Privacy Act, a company would have to be able to answer why each and every field is required on each and every form. Further, they would need to make sure that they protect your information with a reasonable amount of care, and they would need to notify you if they suspect that your information has leaked. They would also have to contact you if they need more information or need to use the information for other purposes. And they would not be able to share this information with other companies.

Right now there is no legislation making it illegal for companies to share information (excluding credit information). This video shop could (I'm not saying they would) easily share all this gathered information with anyone they wanted, and could even sell it. Most people ignore spam addressed to "Dear Sir" or the like, but spam built from this information could be sent to you addressed "Dear Mr .....".

Also, since the company isn't required to protect the information and doesn't need to notify anyone of a breach, the risk of your information leaking goes up. So let's look at two cases...

The information leaks and someone wants to infect your PC so they can use it to send spam or to steal your money using something like Zeus. They send you an email addressed to you specifically, looking as though it is from a garage. Since they know where you live, they can customise the email to be from a garage in your area. They could also make it mention your registration number.... "Mr Baranov, I am from <Big Name Garage> in Blahblahville. Your car registration number EGG156GP was recently at our garage..... please look at this bill in pdf format". At this point you are either surprised or cross ("I never took my car to that garage!"). Either way, you open the attached pdf to get more information and your PC is infected. You know not to open attachments from places you don't know, but these people seem to know so much about you...

Alternatively, the thieves use the ID number to create a fake ID book. They use the employer information to create fake pay cheques and take out credit in your name. They have enough information from the form above, including your telephone numbers, address and even friends of yours. Even if the company granting the loan phones the company you work for, they would confirm employment... "Yes, Allen works here."

I'm not picking on this particular video rental company (hence the company name is covered). All companies, from big to small, collect more information than they need and don't necessarily protect it to the best of their abilities. Without laws in place they won't, because protecting customer information is difficult and costly, and breach notification is embarrassing for a company.

Almost all countries in the world have laws protecting their citizens and their information. South Africa has one of the best, based on bits taken from the best privacy legislation from around the world. It is currently in Bill form, so it is not yet approved and is not binding as a law. Anyone who is concerned about their personal information, is sick of spam and is nervous about hackers taking over their bank accounts should want this law to be passed as soon as possible.